SSH COOKBOOK V2A SSH TOOLS SUITE PRESENTATION

ENHANCED VERSIONCreated by / Jean-Marie Renouard @jmrenouard

http://www.jmrenouard.fr/

WHAT'S SSH ?SSH is a secure TCP communication protocol.SSH v2 is base standard in all distributions.SSH allows you to connect securely to server.SSH avoid attack such man in the middle.

SSH BASIC USAGEConnect to server REF01.mynetwork as osuser

$ ssh osuser@REF01.mynetwork

WHAT'S NEXT ?Password is asked.

Password is checked based on system.Input password is crypted.Result is compared with /etc/shadow information.

Comparaison failed : command fails, simple !

osuser@REF01.mynetwork's password :

AND WHEN IT IS OK ...Comparaison successed SSH asks system for a new shell session.Shell session is based on /etc/passwd info.7th and last field of /etc/passwd is shell path.Default Welcome Message

Last login: Thu Mar 20 23:26:46 2014 from 192.168.X.X

Then, You've got a shell ( Bash for instance )A shell as a local shell remotely / securely !

SHELL IS GREATCtrl-d : Kill the connection immediately.Ctrl-l : Clean your screenCtrl-r : Search in bash history on the serverReadline powered.bash_history : command history.bash_profile and .bashrc for personal shell customisation(alias, functions, ...)

BORING ASPECT OF SSH

ONE CONNECTION MEANS ONE PASSWORD CHECK.Password typingNo human error probe

Ctrl-d, exit, kill -9 0, killall bash, ...Kill/terminate Shell session means :

All processes launched from Shell session are also killed.You JUST have to REconnect and REtype your password.REtype your command even if it's long time taking.

AVOIDING PASSWORD TYPINGThanks God, it is possible to connect without passord typing.It is as secure as password typing.Maybe more secure:

No password Excel File on networkNo Agile Access info Post-it on ScrumBoard :)

SSH KEY GENERATION

2 FILES MUST BE GENERATED1. Red key : .ssh/id_rsa is your Private SSH key

Keep it secret2. Blue key: .ssh/id_rsa.pub is your Public SSH key.

SSH KEY GENERATION COMMANDKey Generation Command:

Hey, it is asking me a F*** password !!!Leave it empty :)

ssh-keygen -t rsa

SSH KEY DEPLOYMENTPublic Key Deployment Command:

ssh-copy-id -i .ssh/id_rsa.pub ossuer@REF01.mynnetwork

It is asking a password for a last time ....

AND ALL IS OK ?On the server, .ssh/authorized_keys contains the content ofyour public key.Try to connect one again.

NO MORE PASSWORD ....Magic Simple, Easy and secure ....

ssh osuser@REF01.mynetwork

IS IT ALL ?How to automate this process ?

Library Expect :library interacting with shell programmaticaly.You can script an interactive scenario.And you can execute it automatically.

BETTER THAN A SHELLYOU CAN ALSO REMOTELY EXECUTE A COMMAND.

Shutdown the server

Execute a remote python script

Know load average on REF01 server

ssh root@REF01.mynetwork shutdown -h now

ssh osuser@REF01.mynetwork \ "python remoteScript.py"

ssh osuser@REF01.mynetwork uptime

PERL EXPECT#!/usr/bin/perluse strict;use Expect;

my $timeout=1;my $command="ssh ".$ARGV[0]." ".$ARGV[2];my $exp = Expect->spawn($command) or die "Cannot spawn $command: $!\n";$exp->raw_pty(1);LOGIN:$exp->expect($timeout, [ 'ogin: $' => sub { $exp->send("luser\n"); exp_continue; } ], [ 'yes\/no\)\?\s*$' => sub { $exp->send("yes\n"); goto LOGIN; } ], [ 'assword:\s*$' => sub { $exp->send($ARGV[1]."\n"); exp_continue; } ], '-re', qr'[#>:] $');$exp->soft_close();

REMOTE EXECUTE A LOCAL SCRIPTPYTHON, BASH, PHP, RYBY, JAVA, ALL INTERPRETERS

Interpreter must be present on the remote server

Simple Python Script: hello.py

Remote execute script:ssh-exec

Usage

#!/usr/bin/pythonprint "Hello World !"

#!/bin/shINTERPRETER=$(head -n 1 $2 | sed -e 's/#!//')cat $2 | grep -v "#" | ssh -t $1 $INTERPRETER

ssh-exec osuser@REF01.mynetwork hello.py

FILE TRANSFERT OVER SSHUsing the input/output redirection.

Compressing on fly.

Compression by SSH himself.

cat myLocalFile | \ ssh osuser@REF01.mynetwork \ "cat > myRemoteFile"

cat myLocalFile | \ gzip | \ ssh osuser@REF01.mynetwork \ "gzip > myRemoteFile"

cat myLocalFile |\ ssh -C osuser@REF01.mynetwork \ "cat > myRemoteFile"

DIRECTORIES OVER SSHCommands using input/output for directorytar UNIX archiver command works with stdin and stdout

Better solutionA kind of cp based on SSHv2 protocol

Best solutionIncremental copy

tar -czf – myDir | \ ssh -C osuser@ref01.mynetwork \ "mkdir myDir;cd myDir ;tar -xzf -"

scp -rp mydir osuser@ref01.mynetwork:myDir

rsync -avz myDir osuser@ref01.mynetwork:myDir

MULTIPLE HOST COMMANDSSIMPLE SHELL LOOP ON 3 SERVERS

for host in server1 server2 server3; do echo "* Updating $host" ssh -C root@${host}.mynetwork "yum -y update"done

SIMPLE SHELL LOOP ON SERVER1 TO SERVER100for i in ̀seq 1 100̀; do host=server${i}.mynetwork echo "*Updating $host" ssh -C root@${host} "yum -y update"done

MULTIPLE HOST COMMANDS IN PARALLELFORKING SUBSHELLS IN LOOP ON SERVER1 TO SERVER100for i in ̀seq 1 100̀; do ( host=server${i}.mynetwork echo "*Updating $host" ssh -C root@${host} "yum -y update" 2>&1 >> ${host}.update.log echo "* Updating $host ..DONE" )&done

Output and Errors are stored in individual log file per host

MULTIPLE HOST COMMANDS IN PARALLELFORKING SUBSHELLS IN LOOP FROM A FILE

while read host; do ( echo "*Updating $host" ssh -C root@${host} "yum -y update" 2>&1 >> ${host}.update.log echo "* Updating $host ..DONE" )&done < "${1:-/proc/${$}/fd/0}"

Server are reading from a file or from stdinA file with one server name by lineOutput and Errors are stored in individual log file per host

PORT FORWARDINGOPEN A LOCAL PORT AND REDIRECT IT THROUGHT SSHssh -L2000:localhost:80 user@host1

Open a local port 2000 and redirect I/O to server port 80 onhost1ssh -L8080:host2:80 user@host1

Open a local port 8080 and redirect I/O to server port 80 onhost2Using SSH to host1 to access host2 server

REVERSE PORT FORWARDINGOPEN A REMOTE PORT ON SERVER AND REDIRECT IT

THROUGHT SSH TO CLIENTssh -R 2000:localhost:80 user@host1

Open a port 2000 on host1Redirect I/O ond this port to local port80

ssh -R 8080:host2:80 user@host1

Open a remote port 8080 on host1Redirect I/O to server host2 on port 80 from ssh client hostUsing SSH to host1 to access host2 server

USEFUL SCRIPTSssh-copy-id, included in openssh-clients in all distributionsssh-installkeys, ssh key installer

Fusefs, Filesystem over SSHMUSSH, Multihost SSHperl-Net-SSH-Expect, automate connection without ssh keysscanssh, scan hosts with SSHsshpass, password cracker for SSH

PROJECTS FOR MASSIVE REMOTE EXECUTIONAnsible in PythonChef in RubyRex in PerlRundeck in JavaEnvoy in PHPShunt in PHPSSHKitDO It in Ruby

PROJECTS FOR SSH MANAGEMENTGateOne, Web SSH clientStorm in Python, manage your SSH identitiesSSHRC, transport your config everywheregit deliver, deliver files from git and SSHSShuttle, the poor's man VPN Solution

STELLAR LINKSCode samples in Bash and Perlhttp://www.jmrenouard.frFollow me on Twitter

THE ENDBY JEAN-MARIE RENOUARD / JMRENOUARD.FR